author: Olivier Gayot <duskcoder@gmail.com> 2015-01-18 01:09:10 +0100
committer: Olivier Gayot <duskcoder@gmail.com> 2015-01-18 01:09:10 +0100
commit: 0935580445afb5dca80b17a4237168c24748d759 (patch)
tree: 107e80c9063864173e795f04bb868509afe1e16c
parent: 95dc736f1b2babcb18215ada77cbe0dd988c6e26 (diff)
added content about S/MIME
Signed-off-by: Olivier Gayot <duskcoder@gmail.com>
-rw-r--r-- practicals.adoc | 1
-rw-r--r-- smime.adoci | 112
2 files changed, 113 insertions, 0 deletions
diff --git a/practicals.adoc b/practicals.adoc
index 84b7bac..4384192 100644
--- a/practicals.adoc
+++ b/practicals.adoc
@@ -6,3 +6,4 @@ include::dns.adoci[]
include::ssl.adoci[]
include::firewall.adoci[]
include::pgp.adoci[]
+include::smime.adoci[]
diff --git a/smime.adoci b/smime.adoci
new file mode 100644
index 0000000..1ecf8e4
--- /dev/null
+++ b/smime.adoci
@@ -0,0 +1,112 @@
+== S/MIME Practical, Week 11 ==
+
+As for PGP, the purpose of this practical is to show us how to use S/MIME to
+encrypt, decrypt and digitally sign our emails.
+
+At the end of this practical, we should be able to send and receive emails with
+assurance of the identity of the senders. We will also be able not to worry
+whether someone else was able to read their content.
+
+=== Problem 1: Configuring S/MIME with mutt ===
+
+Though the support of S/MIME is present in 'mutt', it appears that it is very
+cumbersome to use. 'mutt' is expecting 'pkcs12' files (that we can produce with
+'openssl pkcs12'). Nevertheless, for some reason, it complains about our
+'pkcs12' files being not completely bagged.
+
+There is very few information about this issue on the web and most of the
+results are quite irrelevant.
+
+==== Resolution ====
+
+We will not use the builtin support of 'S/MIME' in 'mutt'. Instead, the manual
+pages 'openssl (1)' and 'smime (1)' describe us how to generate our emails
+using 'openssl smime'.
+
+The following command will create our email and encrypt it using
+ojgg2@kent.ac.uk's public key.
+
+ $ openssl smime -encrypt -out mail.p7m -from olivier.gayot@sigexec.com -to ojgg2@kent.ac.uk -subject "Encrypted message" -des3 certif.crt
+ This content is encrypted, can you read it?
+
+We can check that our email file is encrypted:
+
+ $ cat mail.p7m
+ > To: ojgg2@kent.ac.uk
+ > From: olivier.gayot@sigexec.com
+ > Subject: Encrypted message
+ > MIME-Version: 1.0
+ > Content-Disposition: attachment; filename="smime.p7m"
+ > Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
+ > Content-Transfer-Encoding: base64
+ >
+ > MIIBswYJKoZIhvcNAQcDoIIBpDCCAaACAQAxggFEMIIBQAIBADCBqDCBmjELMAkG
+ > A1UEBhMCRlIxETAPBgNVBAgMCExvcnJhaW5lMRMwEQYDVQQHDApCYXIgbGUgRHVj
+ > MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFjAUBgNVBAMMDU9s
+ > aXZpZXIgR2F5b3QxKDAmBgkqhkiG9w0BCQEWGW9saXZpZXIuZ2F5b3RAc2lnZXhl
+ > Yy5jb20CCQD94c8uK91F/zANBgkqhkiG9w0BAQEFAASBgLOKi60Rw/B0ZJDk78/x
+ > T0lmSSYhzaIfRJp5SMiH0zFodQFYVW7qBXFI1mXveD0e2k+jLl3phlQb/MXz47AH
+ > 6pj4OeE4Q0N+0NHmmoFKbN5s8xwH/0hBaLkEAes+ZCG1YjaEoIkPcc5VrGIMceJm
+ > Vh9GZRSQWo77J8q4EGzpTkZtMFMGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQICCUR
+ > p0WUvGeAMMTU8q/foeWR6W+w9Wu0jBxHnEOEkjbTqDHasMbL6e0j1sGtKVY3eqtG
+ > uRoDPyq44Q==
+
+Using 'mutt', we can now send this email. We will then use 'openssl smime'
+again on our recipient's machine to decrypt it using his private key.
+
+ $ openssl smime -inkey private.key -decrypt -in mail.p7m
+ > This content is encrypted, can you read it?
+
+
+=== Problem 2: Combining encryption and signature ===
+
+What we want now is to encrypt the content of our message and sign it so that
+the receiver can read the email and be sure as well that it comes from us.
+
+==== Resolution ====
+
+We will start by encrypting our message the same way we did before. But then,
+we will use 'openssl' again to sign it before actually sending it. For this
+purpose, we could also use 'mutt'. However, we will use 'openssl smime' in this
+example.
+
+Still having 'mail.p7m' be our encrypted message, the following command will
+digitally sign it using the sender's private key:
+
+ $ openssl smime -sign -inkey private.key -signer certif.pem -in mail.p7m -out signed_mail.p7m
+
+On the receiver's machine, we can now authenticate the sender using its public
+certificate as a Certificate Authority:
+
+ $ openssl smime -CAfile certif.pem -verify -in mail.p7m
+ > To: ojgg2@kent.ac.uk
+ > From: olivier.gayot@sigexec.com
+ > Subject: Encrypted message
+ > MIME-Version: 1.0
+ > Content-Disposition: attachment; filename="smime.p7m"
+ > Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
+ > Content-Transfer-Encoding: base64
+ >
+ > MIIBswYJKoZIhvcNAQcDoIIBpDCCAaACAQAxggFEMIIBQAIBADCBqDCBmjELMAkG
+ > A1UEBhMCRlIxETAPBgNVBAgMCExvcnJhaW5lMRMwEQYDVQQHDApCYXIgbGUgRHVj
+ > MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxFjAUBgNVBAMMDU9s
+ > aXZpZXIgR2F5b3QxKDAmBgkqhkiG9w0BCQEWGW9saXZpZXIuZ2F5b3RAc2lnZXhl
+ > Yy5jb20CCQD94c8uK91F/zANBgkqhkiG9w0BAQEFAASBgHRgbsuN8NugJAzynX+9
+ > tC300W0aqATHMsqXEzFJS4yA3PQDmgPpAL86iH/C5vAk9XQ1Fmnv0soIYaBTwqSH
+ > BraNZNKA90KvZPOAymGMVttCC7giWuBxzNOiruaPTnj9md0n9ps7/issftcj7VH6
+ > DZ1ic+9pjn8bgThqFoxmsGkMMFMGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQIHxER
+ > UbQa6bqAMEOXZgXTurgcRt74OMS4xeSf1j2Z5abj1PSWBg60ldsbyhVuR2+8wllN
+ > wNi5FtbKFg==
+ >
+ > Verification successful
+
+By reusing the same command as before to decrypt the file using 'openssl
+smime', we can extract its content:
+
+ > This content is encrypted, can you read it?
+
+Using this technique, we can be certain that the message comes from the people
+we think and that no one was able to read the content unless they have our
+private key.
+
+
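Review bot: the verify step in Problem 2 reads the wrong file: `-sign` writes its output to `signed_mail.p7m`, but the next command is `openssl smime -CAfile certif.pem -verify -in mail.p7m`, which is the unsigned enveloped message from Problem 1, so the shown "Verification successful" cannot have come from that input; change it to `-in signed_mail.p7m`. Related trust point in the same hunk: passing the sender's own certificate as `-CAfile` only succeeds because that certificate is self-signed, so the text should say the receiver is pinning one known certificate rather than validating a chain to a Certificate Authority. The closing paragraph should also say the content stays unreadable without the recipient's private key (the decrypt step uses `-inkey private.key` on the recipient's machine), not "our" private key. Because the message is encrypted first and signed afterwards, the signature covers the ciphertext rather than the text the reader sees; a sentence noting that signing before encrypting binds the signer to the actual content would make the "comes from the people we think" claim accurate. Minor: the two certificates are named `certif.crt` (recipient, Problem 1) and `certif.pem` (sender, Problem 2); naming them by role would avoid confusion, and `-des3` in the `-encrypt` command is a legacy cipher, `openssl smime` also accepts `-aes256`.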